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This is sort of my little rant here, and I apologize for this.
If you ever read anything on this topic, you go to the professional papers,
you'll always see people talking about critical infrastructure,
minimal essential infrastructure,
all the things that they claim computer hackers are going to do
in terms of cyber war attacking the U.S.
They always give you this sort of nice long list of things they're worried about,
but they never tell you where they got it from.
Well, what's kind of interesting is that list was cribbed from one of my early papers,
and because I never published the methodology that that list was derived from,
No one can actually supply you with where that list came from.
I'll show you the tool that generated it, and it would be nice if from now on some people credited the source.
So let me just talk a little bit about where information operations came from,
and I'm going to do that by backing off the topic a little and getting abstract, which is about progress.
And progress is sort of both analog, meaning it's a nice, smooth situation, and it's punctuated.
You have developments.
This is kind of Tothers, the third wave thing, where you have the industrial age,
and then you're moving on to now the information age.
And extrapolation at times can seem like complete nonsense.
And so, for instance, I'll give you an example here.
For example, motive power, where if you were to go back to a time period when all we had was muscle power,
you look at your curve and you go, oh, a man walking.
But if you start to increase that curve, it becomes nonsense.
You have a man running thousands of kilometers a second.
It just doesn't make any sense.
So that's obviously not what's going on.
So what's actually really good.
What's really going on is that progress occurs.
We have new options that occur, and that actually creates punctuations.
So you move from human power up to animal power, simple machines, mechanical, steam engine, internal combustion,
and then, surprise, surprise, nuclear power.
And, you know, this is sort of in parallel with Moore's Law, where if you were to go back,
you know, Moore's Law should have been violated, what is it, four or five times now,
where we shouldn't have actually been able to move to the next level of progress,
and actually a breakthrough occurs and we just sort of keep moving up the curve.
So some progress, obviously, goes beyond linear improvements.
It creates a whole new breakthrough that creates new capabilities.
And let me drop back to a little bit of history for you for a moment,
and that would be an example of oil and internal combustion.
So as you're well aware, the oil industry really started at the turn of the century, the 1900s,
and we started to see some impact back in World War I, and there was a new petroleum industry.
And the oil boom sort of leading up to World War II became absolutely pivotal to conflict.
Oil was a major cause of the conflict.
Anyone who knows the history of Japan,
recognizes that much of the moves that they were doing in what precipitated Pearl Harbor
was their need to control their oil supply.
Oil was essential to combat power.
If you didn't have oil, you weren't going to be out there and fighting the war,
and it was critical to production capacity.
And just for everyone who can remember their history, and you'll hopefully remember this,
the U.S. didn't win the war based on being really, really good in the military.
They won the war on the fact that we were able to flood the Europeans and the Japanese with equipment.
So the impact.
It was actually fairly significant.
What was that impact?
Well, the impact was the power compression ratio.
Suddenly you were able to do things you weren't able to do before,
like, oh, put airplanes into the air.
So that changed ground forces.
We had tanks.
Naval combat.
Suddenly the ships were able to do all sorts of things they couldn't do before,
and it sort of created air power.
And again, these systems wouldn't have existed if it hadn't been for the oil industry.
So the power of oil.
What happened?
Range was dramatically improved, and you had extended force projection.
What that basically means is you're able to take off off of carriers.
You're able to move ships out further.
Speed and mobility led to what's now referred to as tempo and maneuver.
And supply and sustainment became easier, which is what's referred to in the military as interior lines,
but also extremely vulnerable.
If you remember, much of the early part of the war was about German submarines taking out supply lines.
So what you can do is you can think of it in terms of this as effect per unit density,
and that's what actually made the difference.
So let's move on.
For anyone who remembers their information theory,
the internal combustion engine is a Carnot cycle, which means it runs on a difference.
If you don't have your heat sink, everything really starts stopping to work.
And in Bateson's term, the heat sink is a difference that makes a difference,
which I, of course, bring up here.
So basically, you can look at that as basically a difference engine,
which is the same thing that's information.
Surprise, surprise.
And in military terms, information reduces uncertainty,
and so the parallels are actually kind of important.
And as we're seeing now, the information industry is creating just as much of a transformation in the world
as the petroleum industry did.
So it's worth recognizing about conflict that conflicts are generally not won.
They're lost.
Friction is the common source of loss,
which basically means that you just sort of try to keep things going as long as you can
until the other guy runs out of steam.
You can look at that for the Germans, you know, the Battle of the Bulge.
That sort of thing.
And lack of a difference, in other words, not having information,
is referred to in the military as the fog of war.
So just as in the physical world, there are all sorts of things, friction that occurs,
and that impacts on your actual intentions and capabilities.
Just so everyone understands this, you can have capabilities, meaning, you know,
I have nuclear weapons, I can blow you up.
Am I actually going to use them? Yes or no?
That ties into my intentions.
You have to understand the difference there.
Because one of the things I'll be explaining later on is
hackers now have the capabilities to do all sorts of damage.
They just don't have the intentions,
which is another thing that we need to point out to everyone in the audience
who works for the federal government.
So the more information you have, the less friction there is,
which basically now becomes integration of intelligence and conflict.
Information operations are intended to create friction.
And again, you can get all sorts of valuable intelligence.
Let's try and move forward here.
Okay.
Basically, these are the things you need to understand.
What petroleum did was created obviously the concept of range,
which means, you know, non-locality in our current terms.
Speed and mobility translate to instantaneous simultaneity.
And effect per unit density means impact per unit energy.
What that means is that somebody can attack a system from thousands of miles away.
They can attack it from distributed points from all over the globe.
And they have, you know, all sorts of effect completely out of line
with what they put into it as an investment.
So this is why everyone is afraid of computer hackers, just as a functional process.
So again, a little more explanation here.
In terms of examples, you know, computer hackers in Russia breaking into Citibank.
Instantaneous simultaneity when operations take place in microseconds.
You know, that's not that difficult to understand.
The distributed denial of service attacks are a good example of that.
And the impact per unit energy, what's a good example recently is the U.S. dependence
on GPS units.
I don't know if anyone remembers Desert Storm.
But if it wasn't for the soldier-held GPS units, they really wouldn't have been able
to navigate very well in the desert.
Well, in the next conflict, I don't think anyone's going to be able to be too certain
that GPS units are going to work because it doesn't cost very much to build a jammer.
So it's just one of those interesting things that we're going to start seeing this sort
of thing really showing up as a major play in the next set of conflicts.
So there we go.
Information is critical to future economies.
It's a part of every aspect of conflict.
It's being separated right now by the military because they haven't learned how to integrate
it in.
And as information becomes the building block, that's obviously going to make everybody a
lot more vulnerable.
So here we go.
Is that visible?
Can people read that?
Not really?
Ah, shit.
Hmm.
Okay.
Tell you what.
I'll just tell you what it says.
What I had is I had an epiphany a number of years back.
Which is basically there are actually three cycles.
Don't hold up four fingers.
Hold up three.
There are three cycles that are actually isomorphic, meaning that they function very much the same
way.
And the cycle on the outside is observe, orient, decide, and act, which is known in the military
as the Boyd cycle.
Now, Boyd goes back as far as Korea.
And in Korea, he was a fighter pilot.
He got involved in a dog fight.
And when he survived the dog fight, for the life of him, he couldn't figure out really
what he'd done.
He'd done something correct to win.
But afterward, he got introspective and said, if I can figure that out, I have an advantage
in future dog fights.
And it'll help other pilots.
So he sat down to try and figure out what occurred.
And what basically happened was he looked at his aircraft.
He looked at the opponent's aircraft and said, I have a better view of the outside
world.
And I can also maneuver faster.
His airplane was actually slower, but it responded faster.
And so what he realized is that this is sort of time competitive activity that the faster
you could turn over your decisions faster than your opponent could.
It gave you an advantage.
So that's cycle one.
Cycle two is, starting at the top and reading around clockwise, is context, content, constraints,
and consequences.
And this comes from sort of chaos theory, the science of emergence.
And basically, what you do is you look out at the world, and you recognize that you have
an environment.
There are things that you distinguish out of that environment.
There are constraints for interaction.
And then what occurs in that environment has consequences.
And then you cycle back through again.
And then the final piece is data, information, knowledge, and wisdom, which if anybody has
a background in cognitive science, is sort of the knowledge transformation that's become
very important to the modern world.
And you probably can't read the differences.
Let me sort of go through here.
So how does, you know, observe, content, and data move into the next bubble?
See if I've got that.
Yes.
Well, here we go.
That's sort of what I just explained to you.
Here we go.
Okay.
Observe, context, and data.
Data, which is sort of at the very top of the cycle, is what we experience directly
through proxy, which is instruments, video cameras, human communication.
I may be there, and I may be understanding what's going on, or I may be relying upon
somebody showing me a videotape.
It's also the context.
It's where we are.
It's our environment.
And in terms of decision support, it's sort of raw intelligence.
This is, you know, how we look at the world around us.
So then you move to orient content information.
And this is done by filtering.
So basically, you can look at everything on the web itself as data.
When you go to a search engine to look for something specific and you then pull that
up, that becomes information.
Basically, you've done that by saying, I don't want all the other stuff.
This is why if someone actually tells you that we're living in an information age, sort
of laugh at them.
We're living in a data age.
We haven't become really good at this process yet.
Context difference in the content, which is true.
You basically say, what is it that I used to make my decisions?
I want this versus I'm not interested in that.
Where is your attention directed?
This comes in, and this is particularly critical in the Observe Orient side act.
Orient is what I'm facing.
In other words, if I'm looking at you this way, I'm not too certain what's going on behind me.
So you'll see where this fits in later on.
Obviously, wherever I'm focused is something that's important to me.
Wherever I'm not focused is an area of vulnerability.
Boundaries, distinctions, and differences, I think you all can recognize that.
And decision support in terms of what's actually important.
So here we go.
How do you move to the next stage?
Well, you provide analysis and abstraction, production to practice.
This is sort of intracontextual information.
It tells you what's going on in just that environment.
You learn about your constraints.
And again, this is sort of, what are your decision points?
Where do you make your decisions at?
Sorry, I'm sort of going through this, but I've actually got a lot of slides, and I was stuck in the newbie section.
So I think everyone's pretty clear on this sort of thing.
Let's move to the fun stuff.
There we go.
Tempo.
This is one of the advantages that computer hackers have.
So at the very beginning, you start out with getting your information.
Then, of course, you filter it.
And then you make your decisions.
And then you react and respond.
Guess what?
Hackers have an edge here over everybody in the military, everybody in intelligence, everybody in corporations.
And why is that?
Because they are hierarchical rather than hierarchical.
And we can talk about what the difference is.
But basically, hierarchies are organizations that your authority is based on your position.
And your position is generally enforced by your control over it.
It's a level of information.
And obviously, for computer hackers, this is not something that they're very fond of.
So what hackers have is hackers have sharing and a community memory.
The tool base out there is amazing, and the level of just passing information about exploits is incredible.
That's what computer hackers refer to as information wants to be free.
But it's also worth pointing out something far more important, which is that information defies control.
Once I say something to you, I don't get to take it back.
And that can carry on.
And carry on.
And carry on.
So it's important to recognize.
So I don't know if anyone saw Bamford's speech.
But again, they tried to come back to him once they released a report.
And they couldn't put it back.
So when people talk to you about things like crypto being the genie's gum out of the bottle, that's what they mean.
Here's a Fight Club quote.
So it's worthwhile to recognize.
This is actually from the book, not the movie.
So you won't recognize it if you've only seen the movie.
One of the other striking parallels between what's going on in Fight Club and the hacker movement.
Is much of what was going on as sort of the personality cult of Fight Club was very much based on what you can see in the hacker communities.
Including things such as it's always going to be free.
So let me see.
Summary stuff.
I don't think we need to go into any particular detail there.
I can explain some of this later on.
I think I've got some additional slides.
So warfare, independence, and infrastructure.
Okay.
This is the overall conceptual strategy under which everything else falls in.
This is basically warfare on the decision cycle.
And the Boyd matrix looks at the core cycles and turns them into the target.
Let's bring that up.
So basically this is something I invented because I had to keep thinking about this.
And since you've got a four-step cycle, you've got 16 possible combinations of attack and failure.
Which makes it pretty easy.
So you can start pulling this up.
And you can actually start looking at warfare by where it hits the Boyd cycle.
So you can just sit there and say, hmm, 0010, observe, orient, decide.
So basically, you know, maneuver warfare goes after the decision part of the cycle.
Which is what we all are familiar with from maneuver warfare.
Guerrilla warfare attacks where people aren't paying attention.
Which is why it hits on the orient part.
Political warfare, attrition, these are all pretty clear.
But when you start hearing people talk about critical infrastructure, surprise, surprise.
This is where it came from.
You can sit there and say, great, based on that cycle, what we know about people making decisions.
Which is what it's all really about.
Is what supports those decision-making processes.
And you've got communications, power supports certain things.
Fuel, schools, you know, water.
So, yeah.
And it's not going to be really visible again.
I just gave some examples.
And some more examples.
If anybody wants the slide show, we can talk about that afterward.
So, hmm.
I'm sure you've heard this from other people so far.
Cyber wars, the whole concept of the Pearl Harbor scenario is bullshit.
Allow me to call bullshit on it again.
There are some folks, you know, out there in the audience who probably are making a lot of money off of walking around scaring people with,
we're going to have mass hacker attacks by computer hackers.
It's going to take everything down.
And they're using it as a justification to keep cryptography under control and to, you know, go after computer hackers and do all sorts of unpleasant things as well as push up their budget.
But the U.S. as a target is still, it's a load of crap.
The truth about the U.S. is basically it's resistant to denial.
And let me explain sort of something you need to understand about the U.S. economy.
The U.S. economy has been gifted by two really interesting things.
It's got plenty of space and it's got plenty of resources.
So, if you were to compare the U.S. and the U.S. economy.
It's against, say, for instance, an Asian economy where they have a very limited amount of space.
Some of them things like Singapore and other countries.
And they have a very limited amount of resources.
What they've had to do is be very, very careful with what they use.
So, they're actually more susceptible to denial and not as susceptible to subversion.
And the U.S. is reversed.
It's not about denial here.
It's about subversion.
And let me give you an example on this.
In one sense, if someone were to take, you know, attack a hospital system and basically shut off all their medical records,
the hospital would recognize that this has occurred and probably not rely upon that.
But if you were to break into one record specifically and change somebody's blood type or to say, oh, they're a diabetic,
and then you just sit back and wait.
Well, when that person's admitted, they've been typed in cross-matched wrong.
So, they're going to be given the wrong blood and they're probably going to be given insulin.
So, again, this is where subversion is a lot more effective and obviously a lot more dangerous.
The only time I get worried about the Pearl Harbor scenario and what's referred to in the military as the combined arms approach,
which is that there's something else going on at the same time.
But the U.S. doesn't have quite as much of a concern about being invaded as some other places.
So, back to my Fight Club quote.
What I want to do here, the first quote is directed at hacktivism and script kiddies as well,
which is basically sticking feathers up your butt does not make you a chicken.
So, and, you know, not to be insulting about this, but, you know,
running somebody else over.
So, scripts and exploits written by some of the very brilliant hackers at conferences like this
doesn't turn you into a computer hacker.
And, obviously, point number two, I think is the important one at the very bottom here,
is all a gun does is focus an explosion in one direction.
A lot of this is about directed force, directed, oops, I've got a question,
is about what am I targeting?
And I'm also trying to help you at this point in time not get targeted by bad people.
Question?
Just to go back to your previous point, you said that,
are you talking about attacks by sovereign nations or licensed sovereign nations
against the United States where you haven't done anything in general?
Are you talking about attacks by sections or operations working within sovereign nations?
The question was a clarification on the Pearl Harbor scenario.
What it boils down to is you should, if you take a look at some of the literature,
it's been a very big thing.
They've called it the Waterloo and Pearl Harbor.
Basically, it would be a massive sneak attack on the U.S. military and U.S. economy.
And that, just like the Japanese thought in World War II,
that would supposedly put the U.S. out of the conflict.
And that's, again, the whole emphasis.
And, of course, those are people who are not remembering what occurred after that,
which was that Pearl Harbor became a rallying cry
and essentially started the U.S.'s entry into World War II.
So what I'm basically trying to express in this is the scare tactics
used by these guys who are profiting off of, you know, the Pearl Harbor scenario.
You know, don't buy it. It's a load of crap.
And that's just kind of what I'm trying to get across.
Does that help?
What I'm saying is, let's say in the Pearl Harbor scenario,
are you talking about sovereign nations establishing agreements with the United States
largely from the Pearl Harbor Telecom,
or having the capability to function from the Pearl Harbor Telecom?
What? Okay.
Are you talking about independent institutions?
Are you talking about any particular group?
Right.
Okay.
The question is, is this going to be an attack by a sovereign nation,
which is essentially an act of war,
or whether it's going to be an independent group,
which could be of any sort of arbitrary composition.
And what I would like to point out to the audience is that you're all sovereigns.
The joke is that sovereignty used to be defined by having a sort of military arm
that you could use for force projection.
And then the defining factor of power became nuclear weapons,
and everyone wanted to be in the nuclear club.
That's why some countries still pursue nuclear weapons sort of aimlessly,
just because they want to have them belong to the club.
What I think needs to be clear to everybody in the audience is that what I'm telling you
and what I think you already know is you have just as much power as a sovereign in this domain.
You may not be able to launch a mass attack personally,
but if you were to sit down and plan for two years, map out the computer network,
look for the vulnerability points, and then, for instance, go out and crack 400 systems
that were just sitting there waiting for you to give it the command,
you could launch a mass attack simultaneously against whatever your target is.
And that can be a sovereign, it can be a corporation, it can be another individual.
But you have the exact same power in this domain as a sovereign does.
And that's one of the key points you have to understand.
And this is, again, another factor that is obviously going to scare folks,
is you are much more on the ball.
You're much more on the ball in terms of this than the sovereigns are.
You know how to use the tools, you communicate, you share.
The trick is that what you're missing is some of the sort of methodology
to think about what the target were to go after things.
And I'm not encouraging that.
Let me make that clear.
But this is out here, and you're going to start learning about it.
And some of you, I suspect, are also going to start getting recruiting calls,
particularly amongst the best of you.
I'm sure you've already probably been approached by,
you know, this sovereign nation or that military group or something else
with probably a very attractive offer.
And what you have to understand is that that's going to start –
people are starting to take sides.
And this is to start educating you so you are not going into this without a clue.
So I'm going to skip over that simply because I should have put it in a much larger font
and broken it up into multiple slides.
I thought the projector would be better.
What this basically was is I sat down and said to myself,
based on what the threat is,
based on the probability, what are the consequences of it,
and what is the sophistication.
And because of what's going on with the globalization of the economy,
the probability of attacks is obviously going up.
The consequences of attack is going up very rapidly.
And the sophistication necessary to launch these attacks is going down precipitously.
So let me see.
Open source intelligence, intelligence without espionage.
Works best against the West.
If anyone is actually interested in this sort of thing,
there's actually a really, really good manual written by the Chinese available on the net,
which basically tells you how to go out and using open sources,
you can basically collect everything you could ever want to know.
And then obviously there's been competitive intelligence programs operating against the West
for forever and a day.
An example, and I can just sort of give you things.
Don't know if anyone was at Bamford's talk yesterday,
but he was talking about having to go through this long, rigorous process
for Freedom of Information Act and everything else to get information about NSA.
And I was going to point out two interesting things.
For example, there's something called the Maryland Procurement Office,
which all the black programs, meaning the secret programs,
all the purchasing was done through the MPO.
Now the MPO obviously wasn't paying very much attention,
and they actually put all the purchasing requests for classified budget stuff in the open database.
So if you want to go back and look at what NSA has been buying for the last couple of decades,
all you have to do is hit the MPO,
and you can actually watch all the equipment purchases.
You can figure out what they've got in the giant basement at the bottom.
The other thing that's interesting is you can hit the IBM patent server.
He was talking about Echelon,
and some people were asking questions about Echelon's technology as well.
Well, if you were to go to the IBM patent server and pull up,
I think one of the primaries is shown, S-C-H-L-N-E.
There's something called Semantic Forests,
and Semantic Forests is basically the technology used to analyze the output from the Echelon system
and filter down what you're looking for.
So this stuff is out there.
It's all open source.
You really don't have to work very hard for it.
You just have to know how to work the system,
and nobody works the system better than computer hackers.
So let me see.
Psychological operations.
Let's pass over that.
Let's get to the stuff that I really wanted to try and bring up here about computers.
Hello?
It's not mine.
So capabilities versus intentions.
Hackers have the capability.
They have the capabilities.
The tools are out there, guys.
All you have to do is decide what vulnerability you want to attack
after you've taken a look at the system,
and you can find as many things as you could possibly want.
What basically you're missing is a doctrine,
what's referred to as an ontology or basically a process in the structure.
Think about these things.
And the big problem with computer hackers is that your intentions are pretty fuzzy.
You're sort of unclear on your motivations about doing things.
Oh, and my battery is fully charged.
Thank you.
Come on.
Oh, shoot.
There we go.
Where did it go?
There we go.
There we go.
Okay.
Motivations and intentions of computer hackers.
Some of you probably don't know.
Some of you are at least sort of introspective enough
to have considered some of these things.
Why do you do things?
For political motives, profit motives, pathology, social motives, and practical motives.
Let's talk about some of this.
Here's a Fight Club quote, again, which I think is important to go into.
And I recognize this when I'm at DEFCON.
One of the things that Tyler Durden was using as a motivational factor in Fight Club
to put together the Fight Clubs was the fact that,
a lot of you out there don't know where you're supposed to be going.
What's your place in history?
Where are you going to be going with your lives?
And you're not real happy about that.
In fact, as we say here, they're very, very pissed off.
You know, some of the stuff that I see going on in terms of breaking into websites
and some of the other stuff is clearly showing, you know,
a fairly high degree of anger at somebody.
And that's actually counterproductive.
So what's the hacker profile?
Let's talk about this.
Just so you know, I mean, you know, a long, long time ago,
in a galaxy far, far away, this was where I came from.
So I recognize this in myself, and I recognize this in a lot of other people.
We've done a lot of work on this to develop it.
What's going on in terms of what's going on with your behavior?
Let's start at the top.
Behavior is patterned, which basically means that there's a high degree
of sort of obsessive-compulsive behavior or monomaniacal.
You will pay attention to levels of detail that would drive other people crazy.
And if you decide that you want to do something, you're not going to stop.
You're going to keep at it until you're successful.
There's also sort of addictive tendencies, which is, you know,
you like the adrenaline rush.
You know, stress is good for you.
Right now, you know, there's a lot of people who are medicating their kids
because they have attention deficit disorder.
And, you know, that's another thing I think is a lot of crap,
because what it just means is you're not getting enough stimulus.
You guys all know this.
You know, you need as much going on around you as you can get.
I know I need that, and you're all the same way.
And I apologize for this being slow.
So ego and identity issues, again, here.
You know, you're acting out, demonstrations against authority,
and real issues about being controlled.
Linguistic manipulation, this is something that other people have mentioned.
It's worth going into a little bit in detail.
Hackers have their own language.
And what this means is that we are isolated from the community at large,
and we're also only talking to other people that we can talk to.
Who else understands us?
Well, other computer hackers do.
So what that does is it isolates us from society,
but it's self-reinforcing inside the small private community of computer hackers.
So you need to understand that what you're doing is you're cutting yourself off
by the very things that, you know, are actually working their way into your language.
And then this is where Kevin Mitnick got into big trouble.
Very, very good at role play.
He was very good at social engineering because he could pretext like nobody could believe.
You know, he could sit down and get into a role just as well as an actor could,
and was so convincing he could talk them out of anything that he wanted pretty much.
You know, that's called sociopathology.
And, you know, if somebody here should talk to Luke Cook
because he's got some interesting ideas on this.
And then basically what this can also boil down to is you have a sort of blurred sense of real identity.
I know Kevin, you know, really was missing a kind of core internal knowledge of who he was himself
and some sort of difficulty distinguishing games from real life.
And real life has consequences.
If you do something bad, something bad's going to happen to you.
So that's not a good thing.
And this is kind of, as I've been walking around, oh, another question.
What kind of case studies or technologies is that based on?
Okay, there's actually, it's from a lot of research done with a couple of other people.
And, you know, we can talk about that if you want to.
We can go into a methodology that's, I know that, I thought Lou was going to ask that question,
but there's actually a methodology behind this.
And we can talk about some of this.
But the big issue here is most of what's being used as a profile for computer hackers
is actually based on the, sorry about bringing this up again,
the intelligence community and the FBI have done really, really extensive work
on double agents and moles and defectors.
And much of that right now is, if you look at much of the literature that's about computer hacker profiles
and sort of, you know, those who commit crimes that relate to computers,
so, but you don't have to say there's an intelligence community.
And now we're getting more and more haven't been talking about this,
but I think there's some more evidence that you see that's working.
So I think you may be, I'll ask again.
Yes.
There's more and more, yes.
Okay.
The model that much of what's being used is sort of at odds with this
because the model that's being used is the model for doubles,
for people who were moles, people who defected, which does not have the same traits.
You should look it up sometime.
There's actually on the CIA's website, they've actually got a couple of good profiles
of what they've done in their prior work on double agents and what they see as the mechanisms.
There's also a book, Private Lives of the CIA,
which has some of the papers that were published out of CIA's internal journals
that have been declassified, which go into the profile as well.
So you have to understand that's where it's coming from is the conventional approach,
and we need to get away from that because it's just not healthy for computer hackers.
Just some minor comments.
Hackers always have those ego issues and power issues,
and I'm hoping for more self-knowledge and self-improvement.
And, again, I drop back to a Fight Club quote.
One of the things that computer hackers,
what computer hackers get is a feeling of power.
I mean, you're finally in control of something.
I know that that was one of the things that drove me into it.
I needed to have something in my world way back when that was explicitly mine.
And, you know, again, once you start going around,
and I can see this in some of the guys out there on the challenge floor,
they start to look at the world in a very different place.
You know, I could do something to these people, or I could get even.
So...
So, if you want to look at...
If you want to look at hacker communities,
I think of hacker communities as sort of tribal or nomadic.
And, of course, what that takes is an inspiration and reputation to get ahead.
On the other hand, it's still a pretty primitive culture.
Find any one of the women in the audience
and ask them to explain their view of women in technology and women in hacker culture,
and you'll see sort of what I mean there.
So, what are the interactions?
Let me see. Let's just move on.
Okay.
So, I mentioned at the beginning of this, one of my concerns is that, you know,
suddenly a Tyler Durden or, you know, Messianic sort of figure shows up
and is trying to lead the hacker movement.
I was at Simple Nomad's presentation, and he made some kind of a comment about,
we have to get organized.
Well, you know, a big concern that I have is, yeah, you know,
someone is going to show up and organize people,
but it's not going to be, you know, towards really beneficial ends.
So, things that you...
I guess what I'm trying to do here is sort of inoculate you against other people,
leading you somewhere, controlling you, doing something bad.
Just this is to raise your awareness level personally.
The people you need to look out for have these sort of characteristics,
which if you look also at the people who are very big in the computer hacker scene,
they share these characteristics.
Have to be articulate because the community's virtual communication skills matter.
Those people who write, write well, and distribute are the ones that are getting the attention.
Being knowledgeable helps to be more than a script kitty.
Those people who write the exploits or find the vulnerabilities are the ones who get the accolades.
Be informative and share.
Again, information wants to be free.
All of us respect that.
And being skilled.
The people that we know, the names that we recognize are those people who've done things.
It's one of the reasons that people keep going and hacking websites.
So, being connected.
Again, we still have things like, you know, CDC and other organizations out there who,
if you're a member or that's who your buddies are, you know, that translates to social position.
But being real always helps.
What's interesting, and you might want to consider some of this in your own lives,
in terms of who you respect, the, sort of, top computer hackers are those people who are, sort of,
also doing something beyond computer hacking.
They actually have something else going for them.
Being directed is extremely important.
Obviously, there's a lot of people out there who don't know where they want to go in life.
So, they're attracted to somebody who does have a direction.
And being different.
And I'm, sort of, guilty of this.
I'm the one wearing a suit.
I don't think there's anybody else in the entire conference who's actually walking around in one.
And I, by the way, haven't even had somebody say, spot the Fed, which is kind of cool.
So, this goes back to the ego issue, which is how it's, sort of, easy to lure computer hackers in.
Which is, how's it working out for you being clever?
I know back in my era of this, I had a hell of a time, you know, because attention's always good.
Even bad attention.
So, the trick was to do something that shows how clever you are.
And any attention's better than no attention at all.
So, where can you go out there?
Well, you've got some pathways.
Corporate, military intelligence.
Let's talk about that a little.
Where am I on time?
We're okay.
Okay.
Corporations do not like computer hackers.
I'm sure some of you have gone through this already.
You can read what's going on in the press.
Large corporations where you could actually have some job security and, you know,
do something with your life, just don't like people with a hacking background.
If you are a self-professed hacker or even show some of the outside, you know,
exhibition of being a computer hacker, tattoos, wearing leather, little things,
they're generally not really happy to hire you.
I've got a question in the back.
I think you're missing a distinction.
I think you're right.
Your assertion is that corporations don't like computer hackers.
My assertion is that a lot of them don't know that.
You look at it in terms of work.
I can point to any Fortune 100 or a number of others that have been around to go to work
where people are in denial about it.
The reality is that some people get the job done, so I would argue that the fact is that
they don't like to see real distinction.
Right.
And I sort of agree with that because I've commented in the past,
what's the difference between a hacker and a cracker?
You'll always get into that sort of pissing contest with people where they demand that
you use the term cracker for those breaking decisions rather than hacker.
The difference that I commented on before is that the hacker is the guy who generally
owns the company now.
You can go back as far as Jobs and Wozniak building Blue Boxes.
You want to look where the original money came from to support Apple.
They were out there doing that sort of thing.
I'm not saying by definition that that's what's going on, but if you look later on, it's not
like Apple's running around building a really good security arm by hiring some of the best
hackers around there and Microsoft, who could certainly afford to hire just about everybody
at the conference here.
And turn them loose isn't doing that either.
And they get up on their high horse.
And IBM is one of the worst offenders on this.
They'll sit there and say, no, we're not going to hire somebody with a questionable background.
And particularly on the military side, if you've done anything even questionable, they're
not going to go near you just simply because they don't want to give you a clearance.
So you're prohibited from getting a secret, top secret, and code name.
Where do you go then?
One of the few groups in the world that could probably appreciate what you could do for
them don't even want to talk to you.
From the other side of this, in terms of hackers, hierarchies, which are what corporations
are, are basically maintained by position.
Somebody at the top is going to be able to tell you what to do, and much of how they
maintain their authority is through control of information.
This does not bode very well for computer hackers in an organization.
And more importantly, authority doesn't like to be challenged, and hackers are all about
challenging authority.
So face it, hackers are a control issue, which is, that's why they don't want to know.
That way they can sit there and say, well, we hate hackers.
They had nothing to do with it.
It's really not liability.
But on the other hand, this is worth talking about, and this also goes back to the point,
which is worker bees can leave, even drones can fly away, the queen is their slave.
Some of these corporations would not be anywhere if it were not for the computer hackers actually
putting things together in the garage, in the basement, in the back office, the guys
who are stuffed in who don't have a window.
So they're making money off of your hard work.
So the military intelligence path.
Guess what?
The lifestyle and the pay sale, they suck.
Definitely something to be desired there.
You get to learn some cool things.
The weapons are fun.
But if you think corporations are bad in terms of authority, the military intelligence is going to be much better.
Also, what a lot of people don't seem to understand about the intelligence community is it's not like the movies.
It's mostly pretty dull, and it's just not going to be good for you.
Now, the other concern that I have, particularly in this day and age, is false flag operations, which in intelligence are
going to be weak, and I think New York Times is doing an excellent job.
So they're able to apply false flag operations, make a lot of money off of that.
So what are we doing about that?
Well, the reality is that they work for so and so side.
And of course, they don't work for that side at all.
Asian cultures, the Israelis are really famous for this.
Let's go on.
So here and now, when the going gets weird, the weird turn professional.
I would actually recommend to anybody in this audience who actually has a skill base to fall back on the old cypherpunk ethic.
which is, you know, cypherpunks write code.
Some of the best things that are out there in the net actually came from,
pardon my tooting the horn on the cypherpunks for a moment, came from the cypherpunks.
Nobody would be where they are right now in terms of the success of the community
if it weren't for the cypherpunks.
But I also want to point out something here.
Cypherpunks weren't just operating against Uncle Sam.
They were also concerned about things like Scientologists.
And everyone sort of is forgetting some of the early heritage of that
and need to go back and recognize, you know, we have a big debt to owe there.
So the other thing I want to point out, and this is sort of my ego stroke to everybody in the room,
and I apologize for this in advance, you guys are the forward edge.
I recognized this from way back in my period, and I'm seeing it in everybody around me here.
Your profile in terms of the way you behave was far and away, you know, you're ahead of your time.
You know, we're in an era now which is, you know, sort of completely globalized, 24 hours a day,
seven days a week, extremely high tempo, and most people are not going to be able to handle it.
You guys can, and that's going to make you the power players very soon now
because as the old school dies off or they can't make decisions fast enough
or they fall out of the marketplace or have problems, you know, that's it.
You get to take over.
It's the power vacuum.
Also, and this is something, you know, I've known and communicated with people
here for years, I mean, one person that I've been communicating with for about five years,
I consider him a friend, I've got a great relationship, this is the first time I met him.
We can do things, sort of like virtual relationships in a virtual community,
that don't make sense in the old corporate face-to-face world of I have to shake somebody's hand
and see what they look like before you can actually move forward with them.
In a world of globalization, again, the way that we build relationships provides a distinct advantage
over the old school.
And, of course, you all think non-local, you're all inherently globalists, you're virtual,
you look at the entire world, you're willing to consider things
that are not directly what's in front of you.
You've built, you know, incredibly complex modeling skills in your head.
You're also, and I'm sure all of you know this, what is called continually
and completely connected, which is con-com there.
You know, you're using your computers, your cellular, you know, a lot of people
who would like to gargoyle themselves, you know, and that's, some of you probably have, I mean,
I may not even recognize it, but it's something that's a distinct trend, and again,
you guys are the forward edge of it, so don't lose that opportunity.
So, but what we need to point out is, you know, what are you doing with it?
You know, time is marching forward, things are moving on, and, you know, we've, I don't know,
I think we've hit a lull.
I don't see, and I apologize again to the cypherpunks,
to be honest, what's come out of the cypherpunks recently?
I can't think of any.
So, you know, we need to, we need to start getting that ethic back and starting
to move things forward again.
Let me talk a little bit about what I think is the wrong direction very quickly.
I don't want you to be a space monkey.
I don't want you to get used.
I don't want you to get sucked into playing the role.
There's going to be a lot of people out there who are going to try and keep provoking you.
They want you as the bad guy.
You justify their budget.
You justify their lives.
From the defense side, on the commercial side of the house, defense contractors are guys looking
for mission.
They have to support thousands of jobs.
And that's why they keep pushing the Pearl Harbor scenario.
From law enforcement, you know, they love to criminalize you guys.
So don't fall for it.
And the other thing here to remember is there's what I refer to as sentinel events.
If something bad happens to you, you have two choices.
You can explode, which is you can blame other people, or you can implode,
which is that you can take responsibility yourself.
One of the points I'd like to make here is take responsibility yourself.
So, because if you, if you go off the handle, if you start going tribal on people's ass,
you know, it's, it's just not going to be good for you.
So, again, falling back on Fight Club, you know, what, what he was basically looking for was
people willing to sacrifice themselves to what purpose?
Don't ask.
So, role models, yeah, you can pass through that because I want to try and get to, right.
And this is, let me stop on this one.
I wanted to breathe smoke.
I don't want you guys getting angry.
If you've got to get angry.
There's places you can go.
Don't, don't do it on places where you're going to end up in prison or a fugitive or something else.
And I'm, this was something that, that I wanted to point out because it's here.
This was something that Tyler kept trying to push onto his troops,
which is exactly what people in the military have happened to them.
They take away your identity and try and rebuild you from the ground up.
And they're going to take you and they're going to make you a man.
And, you know, what they do is, of course, try to say you're not something unique.
You're not something special.
Well, every single person in this room,
is something unique and something special.
So, if you, if you need validation, you know where to find me.
Don't, don't go running off and assume that the world hates you.
So, now to, to make my pitch.
It's not a commercial pitch.
It's a philosophical pitch.
Where are we going in the future?
Who is the great enemy?
Historically, for those of you who remember hacker culture and, you know, good lord,
I've been at this one for a while.
Way back when, it was groups like Ma Bell.
It was corporations who were taking advantage
of the little guys and doing all sorts of bad things to you.
And, of course, Uncle Sam.
And I've been through this myself, having built products that, you know,
I couldn't get integrated, couldn't get sold overseas because they used crypto
and all sorts of things.
So, you know, this is, it's a, it's a bad thing.
But I want to remind you what the hackers really stand for.
And, of course, that's the freedom of the individual.
So, allow me to remind you of that when you're thinking about who to go tribal on.
Which is, think about who opposes freedom.
And you need to start thinking about what are those choices.
This isn't starting to be adults.
So, and this is my conclusion, so I'll take questions afterward.
And this is sort of the position that we're in.
So, you know, right here, we seem to think that we're not looking at the sort of next great crusade.
Nothing interesting going on.
You know, particularly in the dot-com era, everyone was looking at the fact that,
just as we say, we all could have become billionaires if we just sort of been in the right place
with the right time and the right business plan.
And, again, something, sometimes you do something,
you get screwed.
Sometimes you think you don't do, and you get screwed.
There's a lot of people out there starting to do very bad things to a lot of people.
And, you know, for instance, what some of the folks in this conference were saying is,
you know, we have the opportunity to make a difference.
We can build tools.
You know, we can figure out what to do that actually makes a difference.
And my final comment is, you know, you choose your level of involvement.
I won't make decisions for you.
Which is funny to actually having come out of Tyler, who kept doing that for people.
So, let me see what I've got.
Basically, I'm at 50 minutes.
So, I should be turning this over to the defendant.
But does anyone have any questions?
Fire.
I'm sorry, but I still don't think this answers my question about .
Okay.
And in saying that, yeah, I honestly don't believe that there's a solid nation plan.
Even the United States is capable of launching a true crippling, distributed,
into a war or into a spiritual infrastructure attack on the United States.
But there have been many, many,
you know,
there have been a significant number of scenarios coming out of research
dating back, you know, to the early 1990s, 1992,
that all it's going to take is one or two semi-coordinated political organizations
that have operations to launch this guy at the same time.
Right.
Before other political organizations and other options and other road operations
with its operations figure out, you know,
this would be a good time.
Right.
There are a lot of hard plans out there and scenarios that say,
yes, one or two nations or one or two organizations would engage them.
And every other global organization on the planet would agree this against the United States.
There are many, many, many organizations in this United States
that want to launch this guy at the same time,
or by chance, or by chaos, period, or by rule, period.
And I think it's, you know, our century is, in fact, a very, very,
very entitled country.
Can you do, can you do any more exactly on that same scenario?
Repeat the question.
We're debating the viability of the Pearl Harbor scenario.
I've actually got a paper on my website that I wrote a long time ago
which pulls apart sort of the mass denial attack versus the subversive attack,
which I'd invite anybody to go take a look at.
But what,
But there was an exercise, yes, RAND has done scenarios, lots of people have done scenarios.
Some of the RAND stuff is very good.
I think you're probably referring to RONFELD and ARQUILA?
Yeah, okay.
That's what I thought.
So yes, there is some validation for this.
There was even a government exercise which showed that if you took some fairly unsophisticated
people and gave them a very small, modest budget, turn them loose.
Give them a computer, let them go out and hire up an ISP, hit the net and hit the tools,
what could they do?
And the report's classified, but what the report comes out and basically says is that
you can cause large damage to a large section of the economy for a very short period of
time.
Again, that's a key point, very short period of time.
You can power down, you can fix the problem.
I mean, all the corporations that have been hit, what do they do?
They lose service for a short period of time, eventually they solve the problem, they come
back up.
That's what I mean.
I guess I'm gonna mention the TGV report which raises a very, very small point.
They're not just a group, and it can't get through because they have no modeling data
system.
But what he said wasn't a guess.
What these organizations are doing is launching a lot of those temporary attacks, and they
continue, and they continue to come up.
So one organization launch their attack, their response time is .
And other organizations will have to launch their attack, and it's possible to continue
to give a number of organizations a share.
Right.
Right.
Right.
Right.
But you know what?
If it started to get that bad, what do you do?
You unplug the connection to the outside world.
I mean, there are plenty of places you could cut the cable to stop external groups unless they're inside the U.S.,
at which point then you're looking for all inside.
Well, right now I know, but I'm saying, you know, again, running a sustained contingency attack,
what do you want them to hit that you think is going to keep causing crippling damage?
If anything, I would say maybe if there were a lot of buildings that they could live longer in,
if they got out, they'd be wondering how to do it, how to reverse it, how.
Right.
Right.
Are you going to say that's the equation of the structure that you've got to say,
no, no, no, I'm not saying that we're not vulnerable.
In fact, my solution is entirely different.
I mean, I would go away from an access control model and go and use cryptography for everything,
but that's just my way of viewing things.
But what you're saying is, is that.
I can, I can agree with you.
Yes, the system is vulnerable, but again, at this point in time, you know,
you're not going to solve it with some of the sort of quick fixes that are going on.
You have to go back and you have to do some redesign.
And I would recommend cryptography on every motherboard.
You know, I mean, cryptographic support built into everything.
So, you know, I mean, I don't know.
I mean, I don't know what you want me to concede.
I mean, I can sit here and say, yes, there is some potential validation.
That's why I said as a combined arm strategy that the Pearl Harbor scenario,
it may actually be valid.
But why would somebody.
Can you guys please take this offline so we can get to the next speech?
Thank you.
Thank you.
Thank you.
